Using IPv6 (Part 1)

Although IPv6 is still fairly unused in the enterprise or home, it is beginning to gain traction, so I thought I should begin to learn about it. These articles (there will be a few) will chart my investigations into setting up IPv6, starting in this part with two workstations on the same network segment and then connecting them to an IPv6 website on the Internet.

I'm not going to explain what IPv6 is, as you can find pages of information on this on the Internet. I'm looking at it from the more practical (useful) side: how you can use IPv6 in practice and set up a network to use it.

At the moment there are a few ways that you can use IPv6. The most important ones are:

1. IPv6 native: your hosts on your network are IPv6 only and you connect through IPv6-compatible routers and firewalls to IPv6 websites. Not all sites are on IPv6 yet, so you might find large parts of the Internet are not available to you. (See section 1 below)

2. Dual stack (IPv6 and IPv4): having both stacks running on the same host gives you the best of both worlds, but adds to the complexity. You have IPv6 enabled, but the IPv6 traffic must tunnel across any IPv4 devices and networks that don't support IPv6. (See section 2 below)

3. Some sort of tunnel broker that will tunnel traffic across the IPv4 networks, similar to the Teredo adapter that Microsoft offers in Windows, except that you could get your edge router to tunnel out to the IPv6 Internet even if your Internet connection and ISP are IPv4 only.

1. Two Windows 7 Workstations on the same network segment (VLAN)

Okay, this is a basic proof-of-concept test. I have two computers connected to the same VLAN on my network; both run Windows 7 and I've turned on the IPv6 stack.

Firstly run IPCONFIG to get the details of the IPv6 connection:

> ipconfig /all

From this you can see the IPv6 addresses listed below. If you repeat this on workstation 2, you'll see that the addresses are different but both start with "fe80", which means they are link-local addresses, i.e. ones you can't use to access the Internet. In IPv6 a host may have multiple IPv6 addresses: one to connect to other local hosts, one to connect to Internet hosts and so on.

Workstation 1: fe80::75c7:d95b:1f7e:65ce

Workstation 2: fe80::949f:66d7:ca65:6668

Now let's do a ping from workstation 1 to workstation 2 and see what happens. Note that I've added %11 at the end of the IP address; this signifies the interface I want the connection to go out of. If you don't specify this, you may find you can't ping and it tries to resolve the IPv6 address as a hostname.

There we go, it's working: we can ping from one to the other. You'll notice that this address has been auto-selected. We don't have an IPv6 DHCP server (yet), so this link-local address is being auto-configured by the PC on the network automagically.

One of the odd things with IPv6 is that you don't need to have a DHCP server. IPv6 is more about the auto-configuration of hosts, but I'll come onto this more at the end.

2. Connecting a Windows XP or Windows 7 workstation to an IPv6 website on the Internet using Teredo

Okay, so how about using it on the Internet to access a host off your network? Unless you have IPv6 networking all the way from your internal computer to the web server somewhere on the Internet, you'll struggle. Microsoft provides the Teredo adapter within Windows XP and 7 (Vista, cough); you might have seen this when you did an IPCONFIG.

In this example, I have my Windows XP SP3 host on my internal network and I want to be able to connect to an IPv6 website, say http://ipv6.google.com. If you try to access it on an IPv4-only host you won't be able to, so you need to enable the Teredo adapter.

This will tunnel any IPv6 requests across the IPv4 network and Internet (through any NAT devices, like your network firewall) to a Teredo Relay, which will then spit the traffic out onto the IPv6 Internet for the last-mile connection to the IPv6 web server. The return traffic goes back to the Teredo Relay and through the tunnel back to your host.

1. First up, you need to make sure that port UDP/3544 is open outbound through your firewall to the Internet; if it's not, you won't be able to use the Teredo tunnel. I use a Cisco ASA firewall so you'd need something like this:

At this moment, IPv6 is enabled and the host will decide upon a link-local address of its very own. You can have a look at it with ipconfig /all if you want, but we are not done yet: this link-local address is no good for accessing things out on the Internet.

4. Now you need to make a few changes on XP (again, you might not need to). The modification of Windows XP Teredo clients can be done in either of the following two ways:

4A) Installing the Windows Update KB922819. Note that if you have installed the Peer Name Resolution Protocol (PNRP), which is available in the Windows Update KB920342, then you do not need to install the KB922819 update.

In my case I did option B because I was running SP3, where the two patches above are already installed.

4B) Adding or altering the REG_DWORD value of the \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\GlobalParams\TeredoPrefix entry in the Windows Registry. The REG_DWORD value is interpreted as a 32 bit prefix, in network byte order. To do that just follow the following steps:

i) Run the regedit.exe program: Start -> Run, type regedit.exe and then click the OK button.

ii) Browse through the registry tree to check if the

Double click the “Teredo Default Qualified” setting, change it from “Not Configured” to “Enabled”, and click OK, then close gpedit.msc.

The setting should take effect rather quickly, but you can do “gpupdate /force” to force a refresh.

5. Right, reboot, log back in and then fire up a command prompt. The first thing to do is set up the Teredo client to use a Teredo relay. In my case I'm using one in France as this is closest, but there are some all over the place, so take your pick.

teredo.remlab.net (France) It provides the new 2001::/32 prefix.

teredo.autotrans.consulintel.com (Spain) It provides the new 2001::/32 prefix.

teredo.ipv6.microsoft.com (USA, Redmond) It provides the new 2001::/32 prefix.

203.233.154.10 (NCA, Korea) It provides the new 2001::/32 prefix.

debian-miredo.progsoc.org (Australia) It provides the new 2001::/32 prefix.

> netsh interface ipv6 set teredo client teredo.remlab.net

6. Now, my machine was on a domain, so I also needed to run this command:

> netsh interface ipv6 set teredo enterpriseclient

7. Right, we are ready, so now run this command to see if your tunnel has come up:

> netsh interface ipv6 show teredo

8. Okay, it appears to be working. Next we'll check our routing, so run this:

> netsh interface ipv6 show route

9. Okay, this also looks good. Now we can do a ping test, as below:

10. Using IE, we also get:

11. We are done: we are using an IPv6 website via a Teredo tunnel over an IPv4 network and Internet connection. Obviously this is just step one in my investigation of IPv6, so more will come, but it does show that we can use IPv6 in some form. Next I will investigate further how to begin the migration of our network and hosts over to IPv6, and whether it's even possible.

12. And for interest, here is the IPconfig output when connected. You can see that we now have our IPv6 addresses:

Link-Local: fe80::21a:a0ff:fe5e:61be

Global (via Teredo): 2001:0:53aa:64c:0:f9f8:2b24
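
The two address types seen in this walkthrough, link-local (with the %11 zone index) and Teredo under 2001::/32, can be told apart and decoded in code. The sketch below is an added example, not part of the original article: the function name `classify` and the Teredo sample address (built from documentation IPv4 ranges) are constructed, and the field layout follows RFC 4380. It shows that a Teredo address embeds the server's IPv4 address plus the client's NAT-mapped public IPv4 address and UDP port, which is worth knowing before you publish one.

```python
import ipaddress

TEREDO_NET = ipaddress.ip_network("2001::/32")  # prefix the servers above hand out


def classify(text):
    """Classify an IPv6 address as ipconfig prints it, e.g. 'fe80::1%11'."""
    addr_text, _, zone = text.strip().partition("%")
    try:
        addr = ipaddress.IPv6Address(addr_text)
    except ValueError as exc:
        return {"input": text, "kind": "invalid", "error": str(exc)}
    info = {"input": text, "address": addr.compressed, "zone": zone or None}
    if addr.is_link_local:
        # fe80::/10 is valid on the local segment only; with several
        # interfaces the %zone suffix selects which one to send from.
        info["kind"] = "link-local"
        info["needs_zone"] = zone == ""
    elif addr in TEREDO_NET:
        n = int(addr)
        info["kind"] = "teredo"
        # RFC 4380 layout: prefix(32) | server IPv4(32) | flags(16) |
        # mapped port XOR 0xFFFF (16) | mapped IPv4 XOR 0xFFFFFFFF (32)
        info["server"] = str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF))
        info["flags"] = (n >> 48) & 0xFFFF
        info["mapped_port"] = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        info["mapped_ipv4"] = str(
            ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))
    else:
        info["kind"] = "other"
    return info


SAMPLES = [
    "fe80::75c7:d95b:1f7e:65ce",             # Workstation 1, from the article
    "fe80::949f:66d7:ca65:6668%11",          # Workstation 2 with the %11 zone
    "2001:0:c000:201:8000:63bf:34ff:8efa",   # constructed Teredo address
    "2001:0:53aa:64c:0:f9f8:2b24",           # as printed above: seven groups, rejected
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```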

You can always run an IPv6 test using this website: http://test-ipv6.com. It will allow you to verify your IPv6-ness.